
Auditing Events From Custom Security Providers 12-9

12.2.2.1 Example: Obtaining and Using the Auditor Service to Write Role Audit Events

Example 12–2 illustrates how a custom Role Mapping provider's runtime class, MyRoleMapperProviderImpl.java, obtains the Auditor Service in its initialize method and later uses it to write out audit events. Note the null check: the Auditor Service is only available when an Auditing provider is configured in the realm, so a provider must never assume it is present.

Example 12–2 MyRoleMapperProviderImpl.java

    package mypackage;

    import java.util.Map;
    import javax.security.auth.Subject;
    import weblogic.management.security.ProviderMBean;
    import weblogic.security.SubjectUtils;
    import weblogic.security.service.ContextHandler;
    import weblogic.security.spi.AuditorService;
    import weblogic.security.spi.RoleMapper;
    import weblogic.security.spi.RoleProvider;
    import weblogic.security.spi.Resource;
    import weblogic.security.spi.SecurityServices;

    public final class MyRoleMapperProviderImpl implements RoleProvider, RoleMapper
    {
       private AuditorService auditor;

       public void initialize(ProviderMBean mbean, SecurityServices services)
       {
          // Obtain the Auditor Service once, at initialization.
          // It is null when the realm has no Auditing provider configured.
          auditor = services.getAuditorService();
          ...
       }

       public Map getRoles(Subject subject, Resource resource, ContextHandler handler)
       {
          ...
          if (auditor != null) {
             auditor.providerAuditWriteEvent(
                // MyAuditRoleEventImpl is the AuditRoleEvent implementation from Example 12-1
                new MyAuditRoleEventImpl(subject, resource, handler,
                                         "why logging this event",
                                         null)   // no exception occurred
             );
          }
          ...
       }
    }

12.2.2.2 Auditing Management Operations from a Providers MBean

A SecurityServices object is passed into a security provider's implementation of a Provider SSPI as part of the initialize method. For more information, see Section 3.2.2, "Understand the Purpose of the Provider SSPIs." The provider can use this object's auditor to audit provider-specific security events, such as a user being successfully logged in. A security provider's MBean implementation, however, is not passed a SecurityServices object, yet the provider may still need to audit its MBean operations, such as a user being created.

Note: The MyRoleMapperProviderImpl.java class in Example 12–2 relies on the MyAuditRoleEventImpl.java class from Example 12–1.

12-10 Developing Security Providers for Oracle WebLogic Server

To work around this, the provider's runtime implementation can cache the SecurityServices object and use a provider-specific mechanism to pass it to the provider's MBean implementation. This allows the provider to audit its MBean operations. The Manageable Sample Authentication Provider, available at https://codesamples.samplecode.oracle.com/servlets/tracking?id=S224 on the Oracle Technology Network Web site, shows one way to accomplish this task. The sample provider contains three major implementation classes:

■ ManageableSampleAuthenticationProviderImpl contains its security runtime implementation.

■ ManageableSampleAuthenticatorImpl contains its MBean implementation.

■ UserGroupDatabase is a helper class used by both ManageableSampleAuthenticationProviderImpl and ManageableSampleAuthenticatorImpl.

The code flow to cache and obtain the SecurityServices object is as follows:

1. The ManageableSampleAuthenticationProviderImpl's initialize method is passed a SecurityServices object.

2. The initialize method creates a UserGroupDatabase object and passes it the SecurityServices object.

3. The UserGroupDatabase object caches the SecurityServices object. The initialize method also puts the UserGroupDatabase object into a hash table, using the realm's name as the lookup key (a domain may configure more than one realm, so the realm name, not the provider class, must be the key).

4. The ManageableSampleAuthenticatorImpl's init method finds its realm name from its MBean.

5. The init method uses the realm name to find the corresponding UserGroupDatabase object in the hash table.

6. The init method then retrieves the SecurityServices object from the UserGroupDatabase object and uses its auditor to audit management operations such as createUser.
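The six steps above, carried through in one compilable file. This is an added example written for this page, not the Manageable Sample Authentication Provider's own code: MyUserStore stands in for the sample's UserGroupDatabase, the realm-keyed hash table is a static ConcurrentHashMap, MyMgmtAuditEventImpl is a hypothetical AuditEvent for management operations, and MyAuthenticatorMBeanImpl is a plain class given its ProviderMBean in the constructor (a generated MBean implementation obtains the realm name from its own MBean the same way, via getRealm().getName()). The runtime class implements only weblogic.security.spi.SecurityProvider so that the caching step stays visible; a real provider implements the full Authentication SSPI. Two details the page's steps do not spell out are handled here: the auditor is null-checked, because it is absent when the realm has no Auditing provider, and failed createUser calls are audited as well as successful ones before the exception is rethrown.

```java
package mypackage;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import weblogic.management.security.ProviderMBean;
import weblogic.security.spi.AuditEvent;
import weblogic.security.spi.AuditSeverity;
import weblogic.security.spi.AuditorService;
import weblogic.security.spi.SecurityProvider;
import weblogic.security.spi.SecurityServices;

// Helper shared by the runtime class and the MBean class (stands in for UserGroupDatabase).
// Hypothetical: one registry per JVM, keyed by realm name, since a domain may configure several realms.
final class MyUserStore {
    private static final Map<String, MyUserStore> REGISTRY = new ConcurrentHashMap<String, MyUserStore>();
    private final SecurityServices services;   // cached here in step 3
    private final Map<String, String> users = new ConcurrentHashMap<String, String>();

    MyUserStore(SecurityServices services) { this.services = services; }

    static void register(String realmName, MyUserStore store) { REGISTRY.put(realmName, store); }
    static void unregister(String realmName) { REGISTRY.remove(realmName); }
    static MyUserStore lookup(String realmName) { return REGISTRY.get(realmName); }

    SecurityServices getSecurityServices() { return services; }

    void addUser(String name, String passwordHash) {
        if (users.putIfAbsent(name, passwordHash) != null) {
            throw new IllegalArgumentException("user already exists: " + name);
        }
    }
}

// Hypothetical AuditEvent for a management operation; AuditEvent requires exactly these methods.
final class MyMgmtAuditEventImpl implements AuditEvent {
    private final String operation, target;
    private final Exception failure;

    MyMgmtAuditEventImpl(String operation, String target, Exception failure) {
        this.operation = operation; this.target = target; this.failure = failure;
    }
    public String getEventType() { return "MyProvider Management Event"; }
    public Exception getFailureException() { return failure; }
    public AuditSeverity getSeverity() { return failure == null ? AuditSeverity.SUCCESS : AuditSeverity.FAILURE; }
    public String toString() {
        // The audit record names the operation and its target; it never carries the password.
        return "<" + getEventType() + " op=" + operation + " target=" + target
             + (failure == null ? " result=success>" : " result=failure cause=" + failure + ">");
    }
}

// Runtime class (steps 1-3): the only place the container hands the provider a SecurityServices object.
public final class MyAuthenticationProviderImpl implements SecurityProvider {
    private String realmName;

    public void initialize(ProviderMBean mbean, SecurityServices services) {
        realmName = mbean.getRealm().getName();
        MyUserStore.register(realmName, new MyUserStore(services));
    }
    public String getDescription() { return "Example provider that audits its MBean operations"; }
    public void shutdown() { MyUserStore.unregister(realmName); } // do not leak a stale SecurityServices
}

// MBean class (steps 4-6): never receives SecurityServices, so it looks the store up by realm name.
final class MyAuthenticatorMBeanImpl {
    private final String realmName;

    MyAuthenticatorMBeanImpl(ProviderMBean mbean) { this.realmName = mbean.getRealm().getName(); }

    public void createUser(String userName, String passwordHash) {
        MyUserStore store = MyUserStore.lookup(realmName);
        if (store == null) {
            throw new IllegalStateException("runtime provider for realm " + realmName + " is not initialized");
        }
        AuditorService auditor = store.getSecurityServices().getAuditorService();
        try {
            store.addUser(userName, passwordHash);
            if (auditor != null) { // null when no Auditing provider is configured in the realm
                auditor.providerAuditWriteEvent(new MyMgmtAuditEventImpl("createUser", userName, null));
            }
        } catch (RuntimeException e) {
            if (auditor != null) { // failed management attempts are worth recording too
                auditor.providerAuditWriteEvent(new MyMgmtAuditEventImpl("createUser", userName, e));
            }
            throw e;
        }
    }
}
```

The registry is keyed by realm name rather than held in a static field of the provider class because the same provider class can be deployed into two realms of one domain, and the MBean of one realm must not audit through the other realm's auditor. Unregistering in shutdown matters for the same reason: after a realm restart the MBean would otherwise find the old, shut-down SecurityServices object.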

12.2.2.3 Example: Auditing Management Operations from a Providers MBean